What we hear.

Attackers penetrate the architecture easily...


HBSS Workstation Penetration Demonstration

Goal

• Demonstrate the asymmetric ease of exploitation of a DoD computer versus the effort to defend it.

Result

• Multiple remote compromises of a fully security compliant and patched HBSS* computer within days:

  • 2 remote accesses.

  • 25+ local privilege escalations.

  • Undetected by host defenses.


Figure: the two attack vectors used in the demonstration, a hijacked web page (a DARPA news release) and an infected .pdf document.

Total Effort: 2 people, 3 days, $18K

HBSS Costs: Millions of dollars a year for software and licenses alone (not including man hours)

* HBSS = Host Based Security System
Users are the weak link...

The supply chain is potentially compromised...


JSF FPGA & ASIC Usage

Approximately 3500 ICs.

• 200 unique chip types.

• 208 field programmable gate arrays (FPGAs).

• 64 FPGA and 9 ASIC types across 12 subsystems.

78% of FPGAs and 66% of ASICs manufactured in China and Taiwan.

Charts: FPGA Manufacture Location; ASIC Manufacture Location.
Our physical systems are vulnerable to cyber attacks.


Figure: Washington Post clipping, Saturday, January 16, 2010, "U.S. plans to issue official protest to China over attack on Google," by Ellen Nakashima. Lead paragraph: "The United States will issue an official protest to the Chinese government over a major espionage attack targeting Google's computer systems and rights activists' e-mail accounts that the search-engine giant said originated in China."

Chinese cyber attack: "Highly sophisticated and targeted attack" on Google corporate infrastructure (known as Aurora).

A small group of academics took control of a car using Bluetooth and OnStar. They were able to disable the brakes, control the accelerator, and turn on the interior microphone. [1] (The cited 2010 paper exercised these controls over a wired connection to the car's diagnostic port; the Bluetooth and cellular telematics entry points were demonstrated in the same group's 2011 follow-on work.)

[1] K. Koscher, et al., "Experimental Security Analysis of a Modern Automobile," in Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 16-19, 2010.




False speedometer reading. Note that the car is in park.
We are doing a lot, but we are losing ground...

Ground truth...


Chart: Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 - 2010 (cyber incidents on the y-axis, up to 30,000; years 2006 through 2010 on the x-axis).

[1] GAO analysis of US-CERT data. GAO-12-137, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements.

[2] INPUT reports 2006 - 2010.
Why?

We are divergent with the threat...

Chart: Lines of Code (malware* series).

* Public sources of malware averaged over 9,000 samples (collection of exploits, worms, botnets, viruses, DoS tools).
User patterns are exploitable

A recent Defcon contest challenged participants to crack 53,000 passwords.

In 48 hours, the winning team had 38,000.

Chart: # Passwords cracked (y-axis, 10,000 to 40,000) against Time; profile for the winning team, Team Hashcat.
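The contest result above comes from how people choose passwords, not from raw hashing speed. The following Python script is an example added for this page, not code from the deck or from Team Hashcat. It shows the mechanism: six base words and a handful of hashcat-style mangling rules (case changes, a leetspeak variant, then a year, a short number or "!") recover every patterned password in a constructed set of unsalted SHA-1 hashes after a few thousand candidates, and fail on the one random password. The wordlist, the rules and the target passwords are all constructed for the demo; real contests use much larger dictionaries and rule sets.

```python
"""Rule-based password recovery (added example, not from the deck).

Everything here is constructed: a six-word base list stands in for a
real dictionary, the mangling rules are a small subset of hashcat-style
rules, and the SHA-1 targets are built from patterned plaintexts so the
script is self-contained and runs offline.
"""
import hashlib

# Constructed base wordlist (assumption: a stand-in for a real dictionary).
BASE_WORDS = ["password", "summer", "welcome", "dragon", "football", "monkey"]

# Constructed plaintexts: five follow common user habits, one is random.
_PATTERNED = ["Password1", "Summer2010", "Welcome123!", "dragon99", "M0nkey!"]
_RANDOM = "xk7#pQ2v"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the kind of hash that leaks feed into such contests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# The hash list a cracker would be handed (constructed here from the plaintexts).
TARGET_HASHES = {sha1_hex(p) for p in _PATTERNED + [_RANDOM]}


def mangle(word: str):
    """Yield candidates from one base word using a few common rules:
    case changes, a leetspeak variant, then a short numeric, year or '!'
    suffix (the patterns people use to satisfy complexity policies)."""
    bases = {word, word.capitalize(), word.upper()}
    bases.add(word.capitalize().replace("a", "@").replace("o", "0"))
    suffixes = [""]
    suffixes += [str(n) for n in range(100)]           # 0..99
    suffixes += [str(y) for y in range(1990, 2012)]    # recent years
    suffixes += ["!", "1!", "123", "123!"]
    for base in sorted(bases):
        for suffix in suffixes:
            yield base + suffix


def crack(target_hashes: set, words=BASE_WORDS):
    """Return (recovered {hash: plaintext}, number of candidates hashed)."""
    remaining = set(target_hashes)
    recovered = {}
    tried = 0
    for word in words:
        for candidate in mangle(word):
            tried += 1
            digest = sha1_hex(candidate)
            if digest in remaining:
                recovered[digest] = candidate
                remaining.remove(digest)
    return recovered, tried


def brute_force_keyspace(length: int = 8, alphabet: int = 95) -> int:
    """Candidates an attacker must try with no assumption about patterns
    (printable ASCII, fixed length): the search a rule attack skips."""
    return alphabet ** length


def run_demo() -> dict:
    recovered, tried = crack(TARGET_HASHES)
    return {
        "recovered": sorted(recovered.values()),
        "candidates_tried": tried,
        "random_survived": sha1_hex(_RANDOM) not in recovered,
        "blind_keyspace": brute_force_keyspace(),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"recovered {len(result['recovered'])} of {len(TARGET_HASHES)} hashes "
          f"after {result['candidates_tried']} candidates "
          f"(blind 8-character keyspace: {result['blind_keyspace']:.1e})")
    for plaintext in result["recovered"]:
        print("  ", plaintext)
```

The rule attack hashes under 3,000 candidates to recover five of the six passwords; the blind keyspace for an 8-character printable password is about 6.6e15. The random password survives because no rule reaches it, which is the property a 15-character policy is meant to buy and which users defeat by padding a dictionary word with a year and a symbol.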
Additional security layers often create vulnerabilities...

October 2010 vulnerability watchlist (product names redacted in the source; ? = day not legible)

Vulnerability Title                                                         Fix Avail?  Date Added
XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability          No          8/25/2010
XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability                   Yes         8/24/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability                     No          8/20/2010
XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness                      No          8/18/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability                     No          8/17/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities                 Yes         8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability               No          8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability    No          8/12/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability               No          8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities          No          8/?/2010
XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability               Yes         8/?/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability                     No          8/?/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities                 No          8/?/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability                     No          7/29/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability         No          7/28/2010
XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability          No          7/26/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities        No          7/22/2010

6 of the vulnerabilities are in security software.

Color Code Key:

• Vendor Replied - Fix in development
• Awaiting Vendor Reply/Confirmation
• Awaiting CC/S/A use validation
These layers increase the attack surface...

Chart: number of support functions loaded (log scale, 100 to 100,000) against file # (80 to 200).

Constant surface area available to attack: regardless of the application size, the system loads the same number of support functions.

For every 1,000 lines of code, 1 to 5 bugs are introduced.
We amplify the effect by mandating uniform architectures

Figure: OMB memorandum M-07-11.

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

March 22, 2007

M-07-11

MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES

FROM: Clay Johnson, Deputy Director for Management

SUBJECT: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

To improve information security and reduce overall IT operating costs, agencies who have Windows XP™ deployed and plan to upgrade to the Vista™ operating system, are directed to adopt the security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

The recent release of the Vista™ operating system provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released. Therefore, it is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used.

DoD has worked with NIST and DHS to reach a consensus agreement on secure configurations of the Vista™ operating system and to deploy standard secure desktops for Windows XP™

Approved for Public Release, Distribution Unlimited

The US approach to cyber security is dominated by a strategy that layers security on to a uniform architecture.

We do this to create tactical breathing space, but it is not convergent with an evolving threat.
Technology is not the only culprit... nor the only answer.

Economics matter...


There are multiple choices for addressing the supply chain vulnerability:

• Resort to manufacturing all chips in trusted foundries. This is not feasible or sustainable.

• Screen all chips in systems critical to National Security or our economic base. Despite recent advances in screening technology, this is not feasible, affordable, or sustainable at the scales required.


Screening performance by process and phase (Pd = probability of detection, Pfa = probability of false alarm):

Process                           Phase    Pd      Pfa     # of Transistors Evaluated   Time to Evaluate*
Trusted Design and Untrusted FAB  Phase 1  90.0%   10^-3   10^5                         430 H
                                  Phase 2  99.0%   10^-5   10^6                         240 H
                                  Phase 3  99.9%   10^-7   10^8                         120 H
Untrusted Design ASIC             Phase 1  80.0%   10^-3   10^5                         430 H
                                  Phase 2  90.0%   10^-4   10^6                         240 H
                                  Phase 3  99.0%   10^-6   10^3                         120 H
Untrusted Design FPGA             Phase 1  90.0%   10^-3   10^5                         430 H
                                  Phase 2  99.0%   10^-5   10^6                         240 H
                                  Phase 3  99.9%   10^-5   10^7                         120 H

3,500 ICs on the F-35. Single FPGA = 400 million transistors. Modern chips = 2.5 billion transistors.

Selective screening coupled with diplomatic sanctions may create new solutions that are both feasible and sustainable.
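To make "not feasible at the scales required" concrete, the Python script below, an example added for this page and not code from the deck or from any DARPA program, applies the Pd, Pfa and throughput figures of the "Trusted Design and Untrusted FAB" rows to the F-35 part counts quoted beside the table. Two things the slide does not specify are assumed here: Pfa is treated as a per-chip figure, and evaluation time is assumed to scale linearly with the transistor count of the chip (a 400-million-transistor FPGA needs four 10^8-transistor runs). The prior probability that a given part is compromised is a constructed input, set to one bad part per airframe.

```python
"""Screening arithmetic for the supply-chain table (added example).

Assumptions not stated on the slide: Pfa is per chip, evaluation time
scales linearly with transistor count, and the prior probability that a
given part is compromised is a constructed input.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    name: str
    pd: float          # probability of detecting a compromised chip
    pfa: float         # probability of flagging a clean chip (assumed per chip)
    transistors: int   # transistors evaluated in one run
    hours: int         # wall-clock hours for that run


# Transcribed from the "Trusted Design and Untrusted FAB" rows of the table.
TRUSTED_DESIGN_UNTRUSTED_FAB = (
    Phase("Phase 1", 0.900, 1e-3, 10**5, 430),
    Phase("Phase 2", 0.990, 1e-5, 10**6, 240),
    Phase("Phase 3", 0.999, 1e-7, 10**8, 120),
)

# Figures quoted beside the table.
F35_IC_COUNT = 3500
F35_FPGA_COUNT = 208
FPGA_TRANSISTORS = 400_000_000          # "Single FPGA = 400 million transistors"
MODERN_CHIP_TRANSISTORS = 2_500_000_000  # "Modern chips = 2.5 billion transistors"


def hours_to_screen(phase: Phase, transistors_per_chip: int, n_chips: int) -> int:
    """Wall-clock hours to screen n_chips, assuming each chip needs
    ceil(size / throughput) runs and runs are not overlapped."""
    runs_per_chip = math.ceil(transistors_per_chip / phase.transistors)
    return runs_per_chip * phase.hours * n_chips


def posterior_compromised_given_alarm(phase: Phase, prior: float) -> float:
    """Bayes: P(compromised | screener alarms) for a part with the given prior."""
    p_alarm = phase.pd * prior + phase.pfa * (1.0 - prior)
    return phase.pd * prior / p_alarm


def lot_outcome(phase: Phase, n_chips: int, n_compromised: int) -> dict:
    """Expected misses, false alarms and alarm precision for one screened lot."""
    clean = n_chips - n_compromised
    true_alarms = n_compromised * phase.pd
    false_alarms = clean * phase.pfa
    return {
        "expected_missed": n_compromised * (1.0 - phase.pd),
        "expected_false_alarms": false_alarms,
        "alarm_precision": true_alarms / (true_alarms + false_alarms),
    }


def summarize(phase: Phase, prior: float = 1.0 / F35_IC_COUNT) -> dict:
    """Headline numbers for one phase (prior: one bad part per airframe, assumed)."""
    return {
        "hours_one_fpga": hours_to_screen(phase, FPGA_TRANSISTORS, 1),
        "hours_all_f35_fpgas": hours_to_screen(phase, FPGA_TRANSISTORS, F35_FPGA_COUNT),
        "hours_one_modern_chip": hours_to_screen(phase, MODERN_CHIP_TRANSISTORS, 1),
        "p_bad_given_alarm": posterior_compromised_given_alarm(phase, prior),
    }


if __name__ == "__main__":
    for phase in TRUSTED_DESIGN_UNTRUSTED_FAB:
        s = summarize(phase)
        print(f"{phase.name}: one FPGA {s['hours_one_fpga']:,} h, "
              f"all {F35_FPGA_COUNT} F-35 FPGAs {s['hours_all_f35_fpgas']:,} h, "
              f"one modern chip {s['hours_one_modern_chip']:,} h, "
              f"P(bad | alarm) = {s['p_bad_given_alarm']:.3f}")
```

Even at Phase 3 throughput, one 400-million-transistor FPGA costs 480 hours and the 208 FPGAs on a single airframe cost about 100,000 hours; at Phase 1 throughput a single FPGA is 1.72 million hours. The Bayes step shows the other half of the economics: with one bad part in 3,500, a Phase 1 alarm (Pfa 10^-3) is a false alarm about 80% of the time, while at Phase 3 (Pfa 10^-7) an alarm is almost certainly real. Both effects push toward screening a selected subset of parts rather than everything.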
Business incentives matter...

Understanding them in the context of 'game theory' reveals the problem.

Bot Herder strategy example:

• Solution exists: weekly patch, kills branch.
• Solution needed: high cost solution, kills tree.

                                  Bot Herder   Bot Herder Return   Antivirus   Antivirus
                                  Cost         Short    Long       Cost        Return
Weekly patch (kills branch)       Small        High     High       Low         High
High cost solution (kills tree)   Small        High     0          High        Low

The security layering strategy and antitrust have created cross incentives that contribute to divergence.

Layering and uniformity have created unintended consequences... we are in need of new choices...

Examples:

Belief: Defense in depth
Approach: Uniform, layered network defense
Example: Host Based Security System
Unintended consequence: Larger attack surface introduces more areas of exploitability for attackers... Homogeneous targets that amplify effects...

Belief: Users are best line of defense
Approach: Operator hygiene
Example: 15 character password
Unintended consequence: Users take short cuts and become enemy assets...

Belief: The interplay of technology, policy, incentives will favor better security.
Approach: Antitrust law rulings, use of COTS
Example: Competition and independence in security software and COTS
Unintended consequence: Cross incentives that undermine security

We need new choices that create:

• Users as the best line of defense without impeding operations.
• Layered defense without increasing surface area for attack.
• Heterogeneous systems that are inherently manageable.
We missed it too...

...let's fix it.

Cyber